Skip to content

Fix checkRoleEscalation performance and bugs in access checking#12973

Open
nvazquez wants to merge 15 commits intoapache:4.22from
shapeblue:422-fix-checkroleescalation-performance
Open

Fix checkRoleEscalation performance and bugs in access checking#12973
nvazquez wants to merge 15 commits intoapache:4.22from
shapeblue:422-fix-checkroleescalation-performance

Conversation

@nvazquez
Copy link
Copy Markdown
Contributor

@nvazquez nvazquez commented Apr 7, 2026

Description

This PR fixes performance issues and bugs in AccountManagerImpl.checkRoleEscalation(Account, Account).

Performance problem: The method iterated all ~742 API commands individually, calling checkApiAccess for each command through 2 API checkers. DynamicRoleBasedAPIAccessChecker.checkAccess(Account, String) made a redundant uncached DB call on every invocation, ignoring already-cached data from
getRolePermissionsUsingCache(). Additionally, ProjectRoleBasedApiAccessChecker.checkAccess(Account, String) always returns true but was still called 742 times.

Impact before fix: ~1,484 DB calls per checkRoleEscalation invocation for non-admin roles.
Impact after fix: ~2 DB calls (or 0 with warm cache).

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • Build/CI
  • Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

sliceofapplepie and others added 14 commits April 7, 2026 09:11
@sliceofapplepie @nvazquez
Fix checkRoleEscalation performance and bugs in access checking
429c945 
Replace per-API-command loop (~1,484 DB calls) with batch
getApisAllowedToAccount calls using cached role permissions, reducing
to ~2 DB calls (or 0 with warm cache). Fix NPE on pde.getAccount(),
format string mismatch (3 %s but 4 args), and use cached permissions
in DynamicRoleBasedAPIAccessChecker.checkAccess(Account, String).
@sliceofapplepie @nvazquez
Add tests for checkRoleEscalation, checkAccess, and getApisAllowedToA…
7055bf2 
…ccount

Add tests for DynamicRoleBasedAPIAccessChecker covering checkAccess(Account,
String) and getApisAllowedToAccount including cache verification, admin
pass-through, allow/deny filtering, and annotation fallback. Add tests for
AccountManagerImpl.checkRoleEscalation covering same permissions, caller
superset, escalation detection, empty API list, and multi-checker chaining.
@sliceofapplepie @nvazquez
Add debug logging exception
098ba06
@sliceofapplepie @nvazquez
make logging vars consistent to other files
f84ed2a
@sliceofapplepie @nvazquez
Potential fix for pull request finding
5996ee1 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@sliceofapplepie @nvazquez
Potential fix for pull request finding
d6289b6 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@sliceofapplepie @nvazquez
Potential fix for pull request finding
5dce6fc 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@sliceofapplepie @nvazquez
Potential fix for pull request finding
3b5c919 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@sliceofapplepie @nvazquez
Potential fix for pull request finding
d0cad25 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@sliceofapplepie @nvazquez
fix complation and test
987b3b3
@sliceofapplepie @nvazquez
fix mokito UnnecessaryStubbing
8e04b15
@sliceofapplepie @nvazquez
fix cachePeriodField illegal arg
63ae895
@sliceofapplepie @nvazquez
fix null test
4eda50e
@nvazquez
Fix build
5b1aca4
@nvazquez nvazquez added this to the 4.22.1 milestone Apr 7, 2026
@nvazquez nvazquez mentioned this pull request Apr 7, 2026
Closed
14 tasks
@codecov
Copy link
Copy Markdown

codecov bot commented Apr 7, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 58.46154% with 27 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.61%. Comparing base (4708121) to head (3a3df82).

Files with missing lines Patch % Lines
...ain/java/org/apache/cloudstack/acl/APIChecker.java 6.66% 14 Missing ⚠️
...loudstack/acl/StaticRoleBasedAPIAccessChecker.java 0.00% 9 Missing ⚠️
...oudstack/acl/ProjectRoleBasedApiAccessChecker.java 0.00% 3 Missing ⚠️
...oudstack/acl/DynamicRoleBasedAPIAccessChecker.java 94.44% 0 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff            @@
##               4.22   #12973   +/-   ##
=========================================
  Coverage     17.60%   17.61%           
- Complexity    15677    15691   +14     
=========================================
  Files          5918     5919    +1     
  Lines        531681   531726   +45     
  Branches      65005    65014    +9     
=========================================
+ Hits          93623    93649   +26     
- Misses       427498   427514   +16     
- Partials      10560    10563    +3
Flag Coverage Δ
uitests 3.70% <ø> (ø)
unittests 18.68% <58.46%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@nvazquez
Copy link
Copy Markdown
Contributor Author

nvazquez commented Apr 7, 2026

@blueorangutan package

@blueorangutan
Copy link
Copy Markdown

blueorangutan commented Apr 7, 2026

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan
Copy link
Copy Markdown

blueorangutan commented Apr 7, 2026

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✖️ debian ✔️ suse15. SL-JID 17387

@nvazquez
Copy link
Copy Markdown
Contributor Author

nvazquez commented Apr 7, 2026

@blueorangutan test

@blueorangutan
Copy link
Copy Markdown

blueorangutan commented Apr 7, 2026

@nvazquez a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@bernardodemarco bernardodemarco self-requested a review April 7, 2026 17:27
@sureshanaparti sureshanaparti moved this from Todo to In Progress in Apache CloudStack 4.22.1 Apr 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@weizhouapache weizhouapache weizhouapache approved these changes

@shwstppr shwstppr Awaiting requested review from shwstppr

@Pearl1594 Pearl1594 Awaiting requested review from Pearl1594

@sureshanaparti sureshanaparti Awaiting requested review from sureshanaparti

@borisstoyanov borisstoyanov Awaiting requested review from borisstoyanov

@bernardodemarco bernardodemarco Awaiting requested review from bernardodemarco

Assignees

No one assigned

Labels

component:api component:projects enhancement

Projects

Apache CloudStack 4.22.1
Status: In Progress

Milestone

4.22.1

Development

Successfully merging this pull request may close these issues.

5 participants

@nvazquez @blueorangutan @weizhouapache @sureshanaparti @sliceofapplepie